{"id":29502,"date":"2021-08-03T05:28:10","date_gmt":"2021-08-02T18:28:10","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/malware-link-under-the-picture\/29502\/"},"modified":"2021-08-03T05:28:39","modified_gmt":"2021-08-02T18:28:39","slug":"malware-link-under-the-picture","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/malware-link-under-the-picture\/29502\/","title":{"rendered":"E-mail with a malicious link"},"content":{"rendered":"<p>When a conversation touches on credential theft, e-mail messages with phishing links tend to come up first. However, those messages represent just one means of obtaining user names and passwords for various online services. Scammers still mail links to spyware regularly, too. One trick they use to disguise those links is including an image that appears to be an attachment.<\/p>\n<h2>E-mail with a malicious link<\/h2>\n<p>Today, we\u2019re looking at a targeted e-mail attack. The cybercriminals in question made their e-mail look credible, sending an RFQ (request for quotation) to an industrial services provider and equipment vendor, with guidelines attached.<\/p>\n<p>Industrial companies receive such requests fairly often, and account managers will typically open the guideline document and prepare a proposal, glossing over any slight discrepancies such as differences between the domain name and the sender\u2019s signature. What interests us here is how cybercriminals get recipients to run the malware. 
Here\u2019s what the e-mail looks like.<\/p>\n<div id=\"attachment_40979\" style=\"width: 885px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/08\/03052820\/malware-link-under-the-picture-letter.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-40979\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/08\/03052820\/malware-link-under-the-picture-letter.jpg\" alt=\"A letter with a link to malware\" width=\"875\" height=\"492\" class=\"size-full wp-image-29503\"><\/a><p id=\"caption-attachment-40979\" class=\"wp-caption-text\">A letter with a link to malware<\/p><\/div>\n<p>See the attached PDF? Well, what you\u2019re looking at is not an attachment at all. Outlook does display e-mail attachments like this, but here you\u2019ll find a number of differences:<\/p>\n<ul>\n<li>The attachment icon should match the application associated with PDF files in your system. If not, then either it\u2019s not an attachment or whatever\u2019s attached is not a PDF file;<\/li>\n<li>Details about the file \u2014 name, type, size \u2014 should appear if you hover your mouse over a real attachment. 
You shouldn\u2019t instead see a link to some shady website;<\/li>\n<li>The arrow next to the file name should be highlighted and function as a button that brings up a context menu;<\/li>\n<li>The attachment should appear in a separate block, not in the body of the e-mail, something like this:<\/li>\n<\/ul>\n<div id=\"attachment_40980\" style=\"width: 378px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/08\/03052828\/malware-link-under-the-picture-attachment.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-40980\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/08\/03052828\/malware-link-under-the-picture-attachment.jpg\" alt=\"Authentic PDF attachment\" width=\"368\" height=\"96\" class=\"size-full wp-image-29505\"><\/a><p id=\"caption-attachment-40980\" class=\"wp-caption-text\">Authentic PDF attachment<br><\/p><\/div>\n<p>In fact, this object disguised as a PDF attachment is just a regular image. If you try selecting parts of the message with your mouse or using Ctrl-A to select all, that much will be apparent.<\/p>\n<div id=\"attachment_40981\" style=\"width: 570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/08\/03052837\/malware-link-under-the-picture-image.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-40981\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2021\/08\/03052837\/malware-link-under-the-picture-image.jpg\" alt=\"An image posing as a PDF attachment\" width=\"560\" height=\"232\" class=\"size-full wp-image-29507\"><\/a><p id=\"caption-attachment-40981\" class=\"wp-caption-text\">An image posing as a PDF attachment<\/p><\/div>\n<p>The image obscures a hyperlink to a malicious program. 
Clicking the link downloads a spyware Trojan.<\/p>\n<h2>Attack payload<\/h2>\n<p>In this particular case, the malicious link pointed to an archive named Swift_Banco_Unicredit_Wire_sepa_export_000937499223.cab, which contained a loader for a Trojan Kaspersky identifies as <a href=\"https:\/\/threats.kaspersky.com\/en\/threat\/Trojan-Spy.Win32.Noon\/\" target=\"_blank\" rel=\"nofollow noopener\">Trojan-Spy.Win32.Noon<\/a>, a fairly commonplace spyware Trojan. Known since 2017, it enables attackers to steal passwords and other information from input forms.<\/p>\n<h2>How to stay safe<\/h2>\n<p>To keep spyware Trojans from harming your company, install a <a href=\"https:\/\/www.kaspersky.com.au\/small-to-medium-business-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a> on every device with Internet access to prevent malware from running.<\/p>\n<p>Additionally, <a href=\"https:\/\/k-asap.com\/en\/?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">train your employees<\/a> to detect cybercriminals\u2019 tricks in e-mails.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\">\n","protected":false},"excerpt":{"rendered":"<p>Spam and phishing e-mails are not the only threats you might find in your mailbox. 
Cybercriminals are still using good old links to malware.<\/p>\n","protected":false},"author":2598,"featured_media":29509,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993,2994],"tags":[1815,714,241],"class_list":{"0":"post-29502","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-e-mail","11":"tag-spyware","12":"tag-trojan"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/malware-link-under-the-picture\/29502\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/malware-link-under-the-picture\/23125\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/malware-link-under-the-picture\/18607\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/malware-link-under-the-picture\/25109\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/malware-link-under-the-picture\/23134\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/malware-link-under-the-picture\/22475\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/malware-link-under-the-picture\/25753\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/malware-link-under-the-picture\/25245\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/malware-link-under-the-picture\/31192\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/malware-link-under-the-picture\/9891\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/malware-link-under-the-picture\/40978\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/malware-link-under-the-picture\/17415\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/malware-link-under-the-picture\/17876\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/malware-lin
k-under-the-picture\/15100\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/malware-link-under-the-picture\/27145\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/malware-link-under-the-picture\/31349\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/malware-link-under-the-picture\/27359\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/malware-link-under-the-picture\/24166\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/malware-link-under-the-picture\/29307\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/e-mail\/","name":"e-mail"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/29502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=29502"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/29502\/revisions"}],"predecessor-version":[{"id":29508,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/29502\/revisions\/29508"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/29509"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=29502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=29502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=29502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}